AVAR Server Monitor

AVAR Server Monitor is a privacy-first WordPress health dashboard, uptime monitor, server diagnostics and security insight toolkit built directly into wp-admin. It helps WordPress administrators understand whether their site is technically healthy, available, secure and running on a reliable server environment — without requiring an external SaaS account. Instead of showing scattered technical data across multiple places, AVAR Server Monitor brings the most important signals into one clear dashboard: uptime, SSL status, PHP and database health, server resources, WP-Cron, security checks, activity log, 404 monitoring, diagnostic exports, database maintenance and more. Know what is wrong before visitors notice WordPress sites often break quietly. A cron task stops running. An SSL certificate gets close to expiration. The database grows. Debug errors are exposed. A plugin update changes something important. A server starts running out of memory. A backup directory may be exposed. A WooCommerce store accumulates technical clutter. AVAR Server Monitor helps you spot these problems early and decide what needs attention first. Site Health Score The main dashboard includes a 0–100 Site Health Score that summarizes the technical condition of your WordPress site. The score is based on weighted categories:

• Core & Updates
• Server Environment
• Security Posture
• Reliability & Monitoring
• Performance & Storage

The score is not just a decorative number. It includes top issues, recommendations, action links and severity caps for critical problems. For example, if a monitored domain is down, an SSL certificate has expired or a snapshot directory is publicly accessible, the score is capped so the site does not appear healthier than it really is. Monitoring and diagnostics in one place AVAR Server Monitor includes practical tools for everyday WordPress administration:

• Uptime monitoring for one or more domains.
• SSL certificate checks and expiration warnings.
• WP-Cron monitor with overdue event detection.
• Server resource overview with CPU, memory, disk and database information.
• WordPress environment overview with versions, plugins, themes and updates.
• Health Advisor for PHP, database, extensions, cache and connectivity checks.
• Security audit for HTTPS, debug exposure, file editor status, readme.html, REST API, XML-RPC and login hardening.
• Core file integrity scan against official WordPress.org checksums.
• Activity Log for important plugin, theme, update, user and login events.
• 404 monitor for frequently requested missing URLs.
• Email alerts for downtime, version changes, resource thresholds and summaries.
• Diagnostic snapshots for troubleshooting and support.
• Safe Client Health Report for communicating technical status to clients or hosting support.
• Database cleanup preview with risk labels, impact descriptions and confirmation flow.
• Maintenance mode with preview, countdown and role-based bypass.

Login security and access control AVAR Server Monitor includes a built-in login security layer, so you can harden wp-admin without adding a separate plugin:

• Two-factor authentication (2FA) with an authenticator app (TOTP — Google Authenticator, Microsoft Authenticator, Authy and others) and/or one-time codes by email, with the method chosen at login when both are enabled. Includes QR-code setup, one-time backup codes, a "require 2FA by role" policy and an optional "remember this browser" duration.
• Brute-force protection with escalating lockouts, an IP allowlist and blocklist (CIDR and wildcard support) and manual block/unblock of active lockouts.
• A persistent, paginated login attempt log with per-IP statistics: failed attempts, incidents, lockouts and successful sign-ins, plus top attacking IPs and most-targeted usernames.
• A login CAPTCHA on the login, registration and lost-password forms — a privacy-first self-hosted math question with honeypot by default, or optional Cloudflare Turnstile, Google reCAPTCHA v2 or hCaptcha with your own keys.
• An optional custom login URL that serves the login page from a secret slug and returns 404 for the default wp-login.php.

These features run locally and require no external account; CAPTCHA providers are contacted only if you explicitly choose one. Privacy-first approach AVAR Server Monitor is not an external monitoring SaaS platform. Most features run locally inside your WordPress installation. The plugin does not require an AVAR cloud account and does not send local health reports, diagnostic snapshots or server data to AVAR servers. Some features may connect to public external services only when needed, such as the WordPress.org API for checksums and version information, or geolocation providers for server location lookup. Built for safety Because monitoring and diagnostics can touch sensitive areas, AVAR Server Monitor includes a dedicated Advanced Tools safety model. Higher-risk tools are locked by default and require explicit activation. Advanced Tools include features such as:

• Diagnostic snapshots.
• Full phpinfo().
• wp-config.php debug switches.
• Cron run/unschedule actions.
• Database cleanup.
• Table optimization.
• Force HTTPS.
• HSTS.
• Selected exports and filesystem operations.

Sensitive actions use capability checks, nonces, confirmations, safety warnings and safer defaults where appropriate. Safer HTTPS and HSTS handling Force HTTPS and HSTS are not simple checkboxes. They are enabled through protected safety flows with pre-flight checks, host validation and typed confirmation for HSTS includeSubDomains. This reduces the risk of locking yourself out of the site or accidentally applying strict HSTS rules to subdomains that are not ready for HTTPS. Database cleanup with preview Database cleanup can be useful, but it should never feel like a blind "delete everything" button. AVAR Server Monitor analyzes cleanup candidates first and shows what can be removed, the risk level and the likely impact. Riskier actions require typed confirmation. Revision cleanup supports retention rules. WooCommerce content in Trash is detected and order-like records are excluded unless explicitly selected. The plugin uses WordPress APIs where appropriate, such as when deleting posts and comments, so other plugins and WordPress hooks can respond correctly. Diagnostic snapshots Diagnostic snapshots are designed for troubleshooting, support and quick technical review. They use private storage by default when possible, long random archive names, self-healing protection files, public-access checks and safer file exclusions. Snapshots are a diagnostic aid, not a replacement for a full disaster recovery backup strategy. For complete recovery protection, use hosting-level backups or a dedicated backup plugin. Who is AVAR Server Monitor for? AVAR Server Monitor is useful for:

• WordPress administrators who want a clear technical overview.
• Freelancers maintaining client websites.
• Small agencies managing business sites.
• WooCommerce store owners who want to catch technical risks early.
• Website owners who want monitoring without an external SaaS account.
• Developers who need quick diagnostics inside wp-admin.
• Support teams that need safe technical reports from clients.

What makes it different? Many tools focus on only one area: uptime, backups, security, debugging, logs or server information. AVAR Server Monitor focuses on the practical day-to-day question most WordPress administrators have: "Is this site technically healthy, and what should I check first?" It combines health scoring, monitoring, security checks, cron visibility, diagnostics, reports and safer maintenance tools into one privacy-first WordPress dashboard. Typical use cases Use AVAR Server Monitor to:

• Check whether your site is currently healthy.
• Monitor uptime and SSL status.
• See if WP-Cron is running correctly.
• Review PHP, database and server environment health.
• Detect security configuration issues.
• Track important plugin/theme/update activity.
• Find repeated 404 requests.
• Export a safe client or support report.
• Review database cleanup candidates before deleting anything.
• Create a diagnostic snapshot for troubleshooting.
• Understand which issues deserve attention first.

Important note AVAR Server Monitor provides monitoring, diagnostics and safety-focused maintenance tools. Some Advanced Tools can change configuration, delete data or access sensitive diagnostic information. Read warnings carefully, keep regular backups and test higher-risk actions on staging sites whenever possible.

1.7.0

• Added two-factor authentication (2FA): authenticator app (TOTP — Google Authenticator, Microsoft Authenticator, Authy and others) and/or one-time codes by email, with the method chosen at login when both are enabled. Includes QR-code setup, one-time backup codes, an optional "require 2FA by role" policy, and an optional "remember this browser" option with an admin-defined duration. No external service.
• Added an optional custom login URL: serve the login page from a secret slug and return 404 for the default wp-login.php (requires pretty permalinks; off by default).
• Added a login CAPTCHA on the login, registration and lost-password forms: a privacy-first self-hosted math question with honeypot by default, or optional Cloudflare Turnstile / Google reCAPTCHA v2 / hCaptcha with your own keys.
• Added a dedicated Login Security module: comprehensive brute-force protection with persistent, per-IP login attempt statistics.
• Every login attempt is recorded (date, IP address, username, result) to a dedicated database table and classified as informational, a possible incident, or an incident.
• Statistics dashboard: failed attempts (24h/7d), incidents, lockouts and successful sign-ins, plus top attacking IPs and top targeted usernames.
• Escalating lockouts (each repeat lockout for the same IP lasts longer, up to 24 hours), IP allowlist and blocklist (with CIDR and wildcard support), and active-lockout management (manual block/unblock).
• Optional email alerts when a lockout is triggered or when an administrator signs in; automatic log pruning with a configurable retention window.
• Detects attacks on admin-like or non-existent usernames and flags them as incidents. Moved login-attempt limiting from the Security tab to the new Login Security tab.
• Branded, mobile-friendly two-step verification screen at login, with a centered QR code on the profile setup page and a paginated login attempt log.

1.6.0

• Added a weighted Site Health Score with Core, Server, Security, Reliability and Performance categories, severity caps, top issues, recommendations and action links.
• Added Safe Client Health Report and improved system exports for support, diagnostics and client communication.
• Improved the Advanced Tools safety model for sensitive actions such as diagnostic snapshots, full phpinfo(), wp-config debug switches, cron management, database cleanup, table optimization and one-click security fixes.
• Improved Force HTTPS and HSTS flows with capability checks, nonces, HTTPS pre-flight checks, host validation and typed confirmation for HSTS includeSubDomains.
• Improved diagnostic snapshots with private storage by default, long random archive names, self-healing directory protection, public-access checks and safer file exclusions.
• Improved database cleanup with a preview-first workflow, risk labels, impact descriptions, batch processing, WordPress API deletion for posts/comments and typed confirmation for risky actions.
• Improved revision cleanup with retention options and safer WooCommerce handling, including warnings for store content and explicit opt-in for order-like records.
• Improved table optimization so it targets only the current WordPress table prefix by default, with an opt-in option for all database tables and clearer performance warnings.
• Improved cron tools so run and unschedule actions target a single event by hook, timestamp and arguments while protecting critical hooks.
• Improved wp-config.php edits with timestamped backups, atomic writes, permission preservation where possible and cancellation when a backup cannot be created.
• Improved REST API restriction with an allowlist and improved login-attempt limiting with IP + username matching and trusted proxy/CDN header support.
• Improved 404 logging, error-log handling and phpinfo access to reduce performance impact and better protect sensitive diagnostic information.
• Improved Health Score signals for downtime, SSL expiry and not-checked states, backup exposure, debug-log size and critical score caps.
• Improved admin navigation and UI organization across Overview, Monitoring, System, Security, Tools and Settings.
• Improved uninstall cleanup options for plugin-created files such as diagnostic snapshots and wp-config/readme backups.
• Fixed multiple HTML, SVG, cleanup, filesystem, directory-scan and WordPress.org readiness issues.

1.5.11

• Added plugin screenshots and aligned screenshot captions.
• Documentation-only update with no functional code changes.

1.5.10

• Initial public release on WordPress.org.
• Added WordPress health, server monitoring, uptime checks, resource history, environment details and server location overview.
• Added security audit tools, SSL checks, cron monitoring, activity logging, 404 monitoring and email alerts.
• Added diagnostic tools including backups/snapshots, database cleanup, table optimization, PHP diagnostics, maintenance mode and system exports.
• Improved WordPress.org readiness, coding standards compliance, filesystem safety and external-service documentation.

Earlier internal builds

• Internal development builds used before the first public WordPress.org release.
• Core monitoring, security, uptime, cron, logging, diagnostics and maintenance features were developed and tested during this phase.